Stupid CGI.PM cookies!

Seumas has asked for the wisdom of the Perl Monks concerning the following question:

Okay, so this isn't exactly a problem with CGI.pm. However, I am giving myself a severe headache trying to battle this problem. I have many thousands of users and countless browser variations. I use cookies to log users into the site and maintain their session. However, I have found that the following code works differently based on the browser:

$cookie_out = $query->cookie( -name=>$cookie_name, -value=>$cookie_val
+ue, -expires=>1400m, -path=>'/',                                     
+                                                       -domain=>$cook
+ie_domain);
[download]

The above works with Netscape 4.7, Netscape 3x and WebTV. It does not work with MSIE 6.0 (not sure about earlier versions since I can't figure out how to have multiple MSIE versions installed on one box). It does not work with Mozilla. It does not work with Opera. If I remove the -domain=>, it will work eith everything except Netscape 4.7 and WebTV. Further, the following works with everything except WebTV:

print $query->header(-cookie=>$cookie_out, -refresh=>"0; URL=$config{b
+aseurl}/?c=TestCookie",);

print $query->start_html(-title=>'.');
print $query->end_html;
[download]

For this to work with WebTV, I have to substitute the CGI.pm -refresh=> with the following:


print "<META HTTP-EQUIV=Refresh CONTENT=\"0; URL=$config{baseurl}/$con
+fig{script_filename}?c=TestCookie\">";
[download]

I just want this to work for all browsers. I have set up some if/elsif's to accomodate various browsers and build the cookie and cookie page correctly based on what browser/version HTTP::BrowserDetect gets from the user-agent string. However, there are so many variations of user-agent strings and browsers that I still have a lot of users who just can't get cookies to work with us. I'm so fscking frustrated that I'm about two seconds away from bashing my head into the wall. Desperate for help!

Comment on Stupid CGI.PM cookies! Select or Download Code

Replies are listed 'Best First'.
Re: Stupid CGI.PM cookies! by dws (Chancellor) on Oct 11, 2002 at 01:37 UTC
Try changing `-expires=>1400m` to `-expires=>'+1400m'` and verify that your server has the correct time set. Also, check that `$cookiedomain` is correctly formed, per the doc in the CGI.pm POD (hint: it needs to contain at least two periods).	[reply] [d/l] [select]
Re: Re: Stupid CGI.PM cookies! by Seumas (Curate) on Oct 11, 2002 at 14:20 UTC
My bad on the -expires. I do have it properly formatted, but in the process of modifying my code (stripping out all the long-winded variables) for presentation here, I deleted the +. It's been a long day. :) My -expires straight from the code looks like this: `-expires=>"+" . $config{cookie_expiration_time} . "m",` [download] As for the cookie domain, the exact code is the following, with $config{cookie_domain} set to the proper '.domain.com'. `-domain=>$config{cookie_domain});` I have done a lot of google searching over the weeks looking for some explanation of why some browsers wouldn't work with -domain and have found no explanation. And since Netscape wrote the cookie specifications, I doubt that they would fail to adhere to one of the simplest aspects of it. To be sure, I'm not positive what actually is the problem here outside of the -domain peculiarity. It is the only solid behavior I've nailed down and it leads me to think the overall problem causing cookies to fail on my site is that since I decide whether to use -domain when sending a cookie depends on what browser I've detected the user is visiting with, then on some oddball user-agent strings, the detection is failing and I'm sending a -domain when I shouldn't be.	[reply] [d/l] [select]
Re: Stupid CGI.PM cookies! by chromatic (Archbishop) on Oct 11, 2002 at 02:07 UTC
IE 6 may be being super paranoid with P3P cookies. This is a real pain to detect, but it's just a lot of busywork to fix.	[reply]
Re: Re: Stupid CGI.PM cookies! by Seumas (Curate) on Oct 11, 2002 at 14:56 UTC
Actually, IE doesn't seem to be giving my any problem. IE (6 at least) and Mozilla are content with my cookies as long as they have the -domain set. I thought this must be a very well known problem since thousands of others out there have to manage cookies for multiple browsers with CGI.pm, but googling for any evidence of that turns up nothing. I had considered trying to setup something with Apache::Sessions or some other solution, but since I already use CGI.pm elsewhere in the script and the cookie handling that I've devised is very simple (I set a double-MD5-hashed string in the cookie, read the cookie in, compare it to a database with the uid/session_id and that's it). There shouldn't be a lot to go wrong here! Netscape 4.7 and WebTV seem to have a problem with -domain for certain. Others may as well, but my browser testbed is only so diverse. Since all the browsers should accept -domain it seems a problem with Netscape and WebTV rather than with IE (although I agree on the frustration of the P3P Cookies bit).	[reply]
SOLUTION by Seumas (Curate) on Oct 19, 2002 at 04:53 UTC
Here is the solution I stumbled upon while playing around with the code. First, I removed the -domain=> entirely. Unless I specifically need that, the browser should (and seems to) use the existing hostname/domain without any problem. Second, I removed all of the header that is sent to the browser to set the cookie and replaced it simply with this: `print $query->redirect(-url=>'http://mydomain.com/beta.cgi?c=TestCooki +e', -cookie=>$cookie_out);` [download] That has apparently solved my problem. I can use it successfully in MSIE 6, Opera 6, Netscape 4x and Mozilla 1x.	[reply] [d/l]


go ahead... be a heretic
	PerlMonks